Your message dated Mon, 28 Jul 2025 09:21:05 +0000
with message-id <[email protected]>
and subject line Bug#1108784: fixed in poppler 25.03.0-5
has caused the Debian Bug report #1108784,
regarding poppler: CVE-2025-52886
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108784: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108784
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: poppler
Version: 25.03.0-4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for poppler.
CVE-2025-52886[0]:
| Poppler is a PDF rendering library. Versions prior to 25.06.0 use
| `std::atomic_int` for reference counting. Because `std::atomic_int`
| is only 32 bits, it is possible to overflow the reference count and
| trigger a use-after-free. Version 25.06.0 patches the issue.
Unfortunately it looks like the report came in while there was already
some refactoring in the refcounting, cf. [2] so this might be more
intrusive.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-52886
https://www.cve.org/CVERecord?id=CVE-2025-52886
[1] https://gitlab.freedesktop.org/poppler/poppler/-/issues/1581
[2] https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1794
[3] https://securitylab.github.com/advisories/GHSL-2025-054_poppler/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
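The 32-bit wraparound described in the CVE text above, as an added example that is not part of the bug report and is not poppler's code. `Counted`, `kMaxRefs` and the helper functions are hypothetical names, a 32-bit `int` is assumed, and the checked increment shows one generic hardening, not the patch applied in the Debian upload.

```cpp
#include <atomic>
#include <climits>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for an object with a 32-bit reference count.
struct Counted {
    std::atomic_int refs{1};  // one owner at construction
};

// Unchecked increment. Atomic signed arithmetic wraps modulo 2^32, so the
// count silently returns to a small value. The n increments are applied in
// large chunks so the demo finishes instantly; the final value is the same
// as n single increments would leave.
int add_refs_unchecked(Counted &c, std::uint64_t n) {
    while (n > 0) {
        int step = n > INT_MAX ? INT_MAX : static_cast<int>(n);
        c.refs.fetch_add(step);
        n -= static_cast<std::uint64_t>(step);
    }
    return c.refs.load();
}

// Checked increment: refuse a new reference once the cap is reached, so the
// caller has to fail the operation instead of wrapping the count.
constexpr int kMaxRefs = INT_MAX - 1;  // assumed cap for this example
bool add_ref_checked(Counted &c) {
    int cur = c.refs.load();
    do {
        if (cur <= 0 || cur >= kMaxRefs) return false;
    } while (!c.refs.compare_exchange_weak(cur, cur + 1));
    return true;
}

// True when dropping one reference takes the count to zero (object freed).
bool release_frees(Counted &c) { return c.refs.fetch_sub(1) == 1; }

int main() {
    Counted a;
    std::printf("count after 2^32 extra refs: %d\n",
                add_refs_unchecked(a, 1ULL << 32));
    // One release now "frees" the object while 2^32 holders still exist.
    std::printf("single release frees: %d\n", release_frees(a));
    Counted b;
    b.refs.store(kMaxRefs);  // constructed state: count already at the cap
    std::printf("checked add at cap accepted: %d\n", add_ref_checked(b));
}
```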
--- Begin Message ---
Source: poppler
Source-Version: 25.03.0-5
Done: Jeremy Bícha <[email protected]>
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bícha <[email protected]> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 28 Jul 2025 10:55:12 +0200
Source: poppler
Built-For-Profiles: noudeb
Architecture: source
Version: 25.03.0-5
Distribution: unstable
Urgency: high
Maintainer: Debian freedesktop.org maintainers <[email protected]>
Changed-By: Jeremy Bícha <[email protected]>
Closes: 1108784
Changes:
 poppler (25.03.0-5) unstable; urgency=high
 .
   [ Marc Deslauriers ]
   * SECURITY UPDATE: DoS via reference count overflow
     - debian/patches/CVE-2025-52886.patch: limit amount of annots per
       document/page in poppler/Annot.cc, poppler/Page.cc.
     - CVE-2025-52886 (Closes: #1108784)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---